A glaring security flaw built into the latest version of Apple’s desktop operating system has made it possible for anyone to log into any computer running macOS High Sierra. The vulnerability was revealed midday Tuesday.
According to a post on Twitter by Lemi Orhan Ergin (and since confirmed by Fortune), Apple computers can be logged into using the “root” username accompanied by a blank no password. The bug may not work the first time the user clicks “unlock” but upon subsequent attempts the system will accept the login credentials.
You can access it via System Preferences>Users & Groups>Click the lock to make changes. Then use "root" with no password. And try it for several times. Result is unbelievable! pic.twitter.com/m11qrEvECs
— Lemi Orhan Ergin (@lemiorhan) November 28, 2017
Apple responded to Ergin’s tweet an hour after he made his post. In a statement to Fortune, an Apple spokesperson said the company was working on a software update to address this issue. In the meantime it recommends that affected users set a root password to prevent unauthorized access to their Macs:
To enable the Root User and set a password, please follow the instructions here: https://support.apple.com/en-us/HT204012. If a Root User is already enabled, to ensure a blank password is not set, please follow the instructions from the ‘Change the root password’ section.
MacOS’s Root User is system administrator or “superuser” account intended for making changes to files that are typically protected by Apple’s operating system. Most users have not enabled the root user account, one reason that makes this flaw all the more troubling. Thankfully a simple change of password should resolve the issue.
